How to Hack Grab’s Bug Bounty Program for Bigger Rewards

Grab is offering increased payouts for critical and high-severity vulnerabilities from June 2-15. Here’s how you can maximize your chances of success in their bug bounty program.

Scope Targets

Web:

– `.myteksi.net`
– `.grab.com`

Mobile:

– `com.grabtaxi.passenger`
– `ovo.id`

Bounty Multipliers:

  • Critical findings: 1.5× payout (up to $22,500)
  • High findings: 1.25× payout (up to $9,375)

You Should Know:

1. Reconnaissance & Subdomain Enumeration

Start with subdomain discovery using tools like:

subfinder -d grab.com -o grab_subdomains.txt 
amass enum -d grab.com -o grab_amass.txt 

Check for misconfigurations with Nuclei:

nuclei -l grab_subdomains.txt -t ~/nuclei-templates/misconfiguration/ 

2. Web Application Testing

Run Burp Suite or OWASP ZAP for automated scanning:

zap-cli quick-scan -s xss,sqli https://target.grab.com

Test for IDOR (Insecure Direct Object Reference) manually by altering request parameters.
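The IDOR test described here, seen from the server side: a booking lookup keyed on the client-supplied id alone, beside one scoped to the session user. This is an added example with constructed data (the `Booking` table, user ids and the handler names are assumptions), not code from the post or from Grab.

```python
"""IDOR: object lookup without an ownership check, beside the hardened form.
Added example with constructed data; not code from the post or from Grab."""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Booking:
    booking_id: int
    owner_id: int
    pickup: str


# Constructed stand-in for a bookings table: two users, one booking each.
BOOKINGS: Dict[int, Booking] = {
    101: Booking(booking_id=101, owner_id=1, pickup="Orchard Road"),
    102: Booking(booking_id=102, owner_id=2, pickup="Changi Airport"),
}


class NotFound(Exception):
    """Would be rendered as a 404 by a real request handler."""


def get_booking_vulnerable(session_user_id: int, booking_id: int) -> Booking:
    """Authenticates the caller but never checks ownership: changing the
    booking id in the request (the manual test in the text) reads any row."""
    if booking_id not in BOOKINGS:
        raise NotFound(booking_id)
    return BOOKINGS[booking_id]


def get_booking_hardened(session_user_id: int, booking_id: int) -> Booking:
    """Scopes the lookup to the caller. Missing and foreign bookings both
    raise NotFound so the response does not reveal which ids exist."""
    booking = BOOKINGS.get(booking_id)
    if booking is None or booking.owner_id != session_user_id:
        raise NotFound(booking_id)
    return booking


Handler = Callable[[int, int], Booking]


def cross_user_read_possible(handler: Handler) -> bool:
    """Replays the test case: user 1 requests booking 102, owned by user 2."""
    try:
        handler(1, 102)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    for name, handler in [("vulnerable", get_booking_vulnerable),
                          ("hardened", get_booking_hardened)]:
        print(f"{name}: cross-user read possible = {cross_user_read_possible(handler)}")
```

In a database-backed handler the same fix belongs in the query itself (`WHERE id = ? AND owner_id = ?`), so that no code path can fetch the row before the ownership check runs.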

3. Mobile App Testing (Android)

Extract the APK using adb (find the installed path first with `adb shell pm path com.grabtaxi.passenger`, as the directory name varies by device and version):

adb pull /data/app/com.grabtaxi.passenger/base.apk 

Decompile with JADX:

jadx-gui base.apk 

Look for hardcoded secrets, such as API keys, in the decompiled source and in SharedPreferences files.
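A heuristic scanner for the hardcoded-secret check above, run over constructed fragments of the kind JADX produces and of a SharedPreferences XML file. This is an added example, not code from the post or from Grab; the sample files, the secret-name patterns and the entropy threshold are assumptions to tune, and the same scan belongs in a release pipeline so the secrets never ship.

```python
"""Heuristic scan of decompiled Android sources and SharedPreferences XML for
hardcoded secrets. Added example over constructed input; not code from the
post or from Grab. Patterns and thresholds are assumptions to tune."""
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample files standing in for JADX output and an app's prefs XML.
SAMPLE_FILES: Dict[str, str] = {
    "com/example/app/ApiConfig.java": '''
        public class ApiConfig {
            static final String BASE_URL = "https://api.example.invalid/v1";
            static final String API_KEY = "sk_live_EXAMPLE_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c";
            static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
            static final String HMAC_SEED = "Zx9Qm2Lp7Kw4Rt8Vb1Nc5Hd3Jf6Gy0Sa";
        }
    ''',
    "shared_prefs/app_prefs.xml": '''
        <map>
          <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.EXAMPLE.eyJzdWIiOiIxMjMifQ</string>
          <string name="theme">dark</string>
        </map>
    ''',
}

# Named patterns: the documented AWS access key id shape, secret-looking Java
# assignments, and secret-looking SharedPreferences entries.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret_assignment": re.compile(
        r'(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*"([^"]{12,})"'),
    "prefs_secret_entry": re.compile(
        r'<string\s+name="[^"]*(token|secret|key|password)[^"]*">([^<]{12,})</string>',
        re.IGNORECASE),
}
# Long quoted literals are judged by entropy when no named pattern fires.
STRING_LITERAL = re.compile(r'"([A-Za-z0-9_\-./+=]{24,})"')
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune per code base

Finding = Tuple[str, int, str, str]  # (path, line number, kind, matched text)


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for one repeated character, log2(n) for n
    distinct characters used equally often."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((path, lineno, kind, m.group(0).strip()))
                hit = True
        if hit:
            continue  # do not double-report the same literal by entropy
        for m in STRING_LITERAL.finditer(line):
            literal = m.group(1)
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, "high_entropy_literal", literal))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map; for real use, walk the JADX
    output directory and the app's shared_prefs folder instead."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for path, lineno, kind, text in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind}: {text}")
```

The URL on the `BASE_URL` line is deliberately not reported: it is long, but it is neither named like a secret nor high-entropy, which is the filtering a usable scanner needs so that real findings are not buried in noise.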

4. API Security Testing

Intercept API calls via Burp Suite and fuzz endpoints with ffuf:

ffuf -u https://api.grab.com/v1/FUZZ -w common_api_endpoints.txt 

5. Reporting & Maximizing Rewards

  • Document clear reproduction steps.
  • Provide impact analysis (e.g., data leakage, account takeover).
  • Submit via HackerOne.

What Undercode Say:

Grab’s increased bounty rewards present a prime opportunity for security researchers. Focus on logical flaws (e.g., payment bypass) and authentication weaknesses (e.g., JWT tampering). Automation helps, but manual testing often uncovers high-value bugs.
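The JWT tampering mentioned above comes down to a verifier that lets the token choose its own algorithm or skips the signature check. The following added example (stdlib only, not code from the post or from Grab; the key and payload are constructed) shows HS256 signing beside a verifier that pins the algorithm, rejects `alg: none`, and uses a constant-time comparison, so a payload edited in transit fails verification.

```python
"""HS256 JWT signing and strict verification. Added example with a
constructed key; not code from the post or from Grab."""
import base64
import hashlib
import hmac
import json
from typing import Optional

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                       separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the payload only if the header names HS256 and the HMAC matches.
    The verifier pins the algorithm; it never trusts the one in the token."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed structure, base64 or JSON
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # rejects "none" and any algorithm swap
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    try:
        provided = _b64url_decode(sig_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(expected, provided):
        return None  # signature does not cover this payload
    try:
        payload = json.loads(_b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    return payload if isinstance(payload, dict) else None


if __name__ == "__main__":
    token = sign_hs256({"sub": 1, "role": "user"}, DEMO_KEY)
    print("valid token ->", verify_hs256(token, DEMO_KEY))
    head, _body, sig = token.split(".")
    edited = _b64url_encode(b'{"sub":2,"role":"admin"}')
    print("edited payload ->", verify_hs256(f"{head}.{edited}.{sig}", DEMO_KEY))
```

Expiry (`exp`), issuer and audience claims still need checking after the signature passes; they are left out here to keep the signature and algorithm handling, which is the point the text raises, in focus.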

Prediction:

Expect a surge in submissions, particularly in mobile app vulnerabilities (e.g., insecure deep links) and API misconfigurations (e.g., excessive data exposure).

Expected Output:

  • Critical bug report example:
    – Account takeover via JWT manipulation
    – Impact: full user compromise
    – Payout: $22,500

  • High-severity bug report example:
    – SQLi in a booking API endpoint
    – Impact: database leakage
    – Payout: $9,375

Happy Hunting! 🔥

URL: Grab’s HackerOne Program

Reported By: Hackerone Bugbounty – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅